Solved

Spam Problem

Posted on 2010-08-27
Last Modified: 2012-05-10
Hi,
We run Exchange 2007 at our office.  One server is dedicated to Edge Transport, and the other server is Mailbox, Hub Transport and Client Access.  Some of the long time people at our office who have been here for 10 years get LOTS of spam daily.  The president of the company averages about 200 spam per day.

The Edge Transport server really should be taking care of this problem.
Here are some of the settings we use:
Content Filtering
Delete Messages -- Unchecked
Reject Messages -- Checked for SCL 7
Quarantine Messages -- Checked for SCL 6

Sender ID is enabled.

Sender Reputation Properties
Sender Confidence Level -- Checked
Action: 7

I updated to Exchange 2007 SP3 last night, so Version: 08.03.0083.000 is running on both of our servers.  Everyone is still getting the same amount of spam.

We are even using RBL's
zen.spamhaus.org
dnsbl.sorbs.net
bl.spamcop.net
dnsbl-1.uceprotect.net
...and signed up to use Barracuda's service http://www.barracudacentral.org/rbl

It doesn't seem to make much of a difference at all.

I'm starting to wonder if we have an infected computer somewhere on our LAN that is spamming people.

How do all our settings look?
What do the experts have to say about this?

Thanks,
Jamie
Question by:jamorlando
15 Comments
 
LVL 7

Expert Comment

by:Paul Tozer
ID: 33542882
Can you get the message headers from a few of the emails and post them?
0
 

Author Comment

by:jamorlando
ID: 33543211
Here's a couple that went straight to inbox after our Exchange upgrade.  I have changed our actual company name to @ourcompany.com to protect the innocent :)

Received: from exchange02.iks.bz (192.168.210.130) by exchange01.iks.bz
 (192.168.210.7) with Microsoft SMTP Server (TLS) id 8.3.83.0; Fri, 27 Aug
 2010 10:43:59 -0400
Received: from xs160.bestcarssite.info (64.202.124.160) by smtp.insertkey.com
 (192.168.210.130) with Microsoft SMTP Server id 8.3.83.0; Fri, 27 Aug 2010
 10:43:53 -0400
Message-ID: <7362058816035093985.4656b797cc6b9d7cc42e9bc3820d4e78.1119882280@xs160.bestcarssite.info>
Subject: NEWS ALERT: Apple iPad auctions for up to 95% off retail!
From: SwipeBids <SwipeBids@bestcarssite.info>
MIME-Version: 1.0
To: <joe@ourcompany.com>
Date: Fri, 27 Aug 2010 10:40:12 -0400
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
Return-Path: SwipeBids@bestcarssite.info
X-MS-Exchange-Organization-PRD: bestcarssite.info
Received-SPF: Pass (exchange02.iks.bz: domain of SwipeBids@bestcarssite.info
 designates 64.202.124.160 as permitted sender) receiver=exchange02.iks.bz;
 client-ip=64.202.124.160; helo=xs160.bestcarssite.info;
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus Pass;OrigIP:64.202.124.160
X-MS-Exchange-Organization-SCL: 0
X-MS-Exchange-Organization-SenderIdResult: PASS


Received: from exchange02.iks.bz (192.168.210.130) by exchange01.iks.bz
(192.168.210.7) with Microsoft SMTP Server (TLS) id 8.3.83.0; Fri, 27 Aug
2010 00:22:48 -0400
Received: from otenet.gr (87.202.56.2) by smtp.insertkey.com (192.168.210.130)
with Microsoft SMTP Server id 8.3.83.0; Fri, 27 Aug 2010 00:22:48 -0400
From: Sale on sexual boosters <subazino3279@otenet.gr>
To: <tjohnson@ourcompany.com>
Subject: Dear customer tjohnson, here's 70% Sale invitation.. who replacing
Date: Fri, 27 Aug 2010 07:23:03 +0300
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
Message-ID: <adfb8897-6bfd-415b-8a0e-73976cdf08fd@exchange02.iks.bz>
Return-Path: subazino3279@otenet.gr
X-MS-Exchange-Organization-PRD: otenet.gr
Received-SPF: None (exchange02.iks.bz: subazino3279@otenet.gr does not
designate permitted sender hosts)
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus None;OrigIP:87.202.56.2
X-MS-Exchange-Organization-SCL: 3
X-MS-Exchange-Organization-SenderIdResult: NONE
0
 
LVL 3

Expert Comment

by:Fr0zT
ID: 33543589
See this document:
http://technet.microsoft.com/en-us/library/bb124696(EXCHG.80).aspx

The edge server requires tuning to aggressively block spam.  I'm not even convinced that by itself it would be a great solution without some other software like Forefront, GFI MailEssentials, Symantec Brightmail etc.
0
 

Author Comment

by:jamorlando
ID: 33544105
Trust me ... I've read about ALL these settings, and it doesn't seem to make a difference.  When I set them too aggressively, people start not receiving important business emails.

I think it's unacceptable that third party software be the solution to this problem.

In any case, I'm still wondering if someone on our network has a virus that's spamming people?  I have no idea how I would even test this unless we shut off every desktop and server here except for the two exchange servers.
0
 

Author Comment

by:jamorlando
ID: 33545442
If you notice in the first message header I posted, the SCL is 0!  How can that be????  The email address is from SwipeBids@bestcarssite.info ... even a 2 year old would know that's spam.

Come on guys, I know there has to be something to fix this.
0
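An added example (not part of the original thread) that applies the Content Filtering thresholds from the question to the two posted headers. It shows that SCL 0 and SCL 3 both fall below the quarantine (6) and reject (7) settings, and that the Sender ID PASS on the first message only means the sending IP is authorized by the sender's own domain. It assumes a threshold acts on any SCL greater than or equal to the configured value; `triage`, `report` and `SAMPLES` are names made up for this example.

```python
from email import message_from_string

# Thresholds from the question's Content Filtering settings.
SCL_REJECT = 7
SCL_QUARANTINE = 6

# Headers abridged from the two samples posted in the thread.
SAMPLES = {
    "SwipeBids": """\
From: SwipeBids <SwipeBids@bestcarssite.info>
Received-SPF: Pass (exchange02.iks.bz: domain of SwipeBids@bestcarssite.info
 designates 64.202.124.160 as permitted sender) receiver=exchange02.iks.bz;
 client-ip=64.202.124.160; helo=xs160.bestcarssite.info;
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-SCL: 0
X-MS-Exchange-Organization-SenderIdResult: PASS

""",
    "otenet": """\
From: Sale on sexual boosters <subazino3279@otenet.gr>
Received-SPF: None (exchange02.iks.bz: subazino3279@otenet.gr does not
 designate permitted sender hosts)
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-SCL: 3
X-MS-Exchange-Organization-SenderIdResult: NONE

""",
}

def triage(raw_headers):
    """Return (scl, sender_id_result, action) for one message's headers."""
    msg = message_from_string(raw_headers)  # also unfolds continuation lines
    scl = int(msg["X-MS-Exchange-Organization-SCL"])
    sender_id = msg["X-MS-Exchange-Organization-SenderIdResult"].strip().upper()
    if scl >= SCL_REJECT:          # assumption: threshold means SCL >= value
        action = "reject"
    elif scl >= SCL_QUARANTINE:
        action = "quarantine"
    else:
        action = "deliver"
    return scl, sender_id, action

def report():
    """Triage every sample and return {name: (scl, sender_id, action)}."""
    return {name: triage(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, (scl, sid, action) in report().items():
        print(f"{name}: SCL={scl} SenderId={sid} -> {action}")
```

Both samples come back as "deliver", so the spam reached the inbox because the content filter scored it low, not because the thresholds were bypassed.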
 
LVL 7

Accepted Solution

by:
Philonator earned 333 total points
ID: 33549648
I agree with Fr0zT 100%, the edge blocking doesn't work well.  I have found it just takes the worst of the worst out and that's it.  I do not think you have an infected machine on your local site.  Once your email is on a spam list, the spammers sell it to other spammers and it never ever stops.

I know you don't want a third party solution but Microsoft has a great virus/spam filter for under $1/yr/mailbox. It's called Forefront Online Protection for Exchange.
0
 

Author Comment

by:jamorlando
ID: 33558421
Philonator, I like that there is a free 30 day trial.  I'm going to set this up.  Has anyone used this product?  Success?
0
 
LVL 7

Expert Comment

by:Philonator
ID: 33558680
I have tried it on one client and we are going to recommend it for more.  It is working sweet.  You can schedule a sales demo with them.  The most negative parts are that you need to sign a 3 yr agreement (but don't let that bother you) and change MX records.  After that it is smooth sailing.

You basically redirect your mail to Microsoft first, they filter it, and then it is sent to your Exchange server.  There are other options you buy from them like archiving and encryption at the same low price.  It's relatively new, but I can see this product taking some serious market share from Barracuda and others.

Last two thoughts:  I hated the idea at first, but once it was in place I became a believer, and I swear I am not a sales rep for them!
0
 

Author Comment

by:jamorlando
ID: 33558704
It says $1.75 per user.  We have around 100 outlook users, however only about 10 of them get spam.  Can you only set it up for the 10 users, or would we have to pay for all 100?
0
 
LVL 7

Expert Comment

by:Philonator
ID: 33558756
When you point the mx records all mail will be filtered.  So technically you need to buy it for all users and service accounts.
0
 
LVL 7

Expert Comment

by:Philonator
ID: 33558805
BTW - buy it through a reseller like Ingram or Tech Data and you will get the $1 a mailbox discounted price.
0
 

Author Comment

by:jamorlando
ID: 33558986
Awesome to know about Tech Data... we use them here all the time.
Another question:  Can we ditch our Edge Transport server if we get FOPE implemented?
0
 
LVL 7

Expert Comment

by:Philonator
ID: 33559279
I would like to say yes, but is that all the edge server is doing?  When we implemented it we left everything in place first, and saw that it was doing what it advertised to do.  We then started removing equipment and programs without issue.
0
 

Author Comment

by:jamorlando
ID: 33559298
Ok, I'll feel it out.  I'm going to get the trial, and if I have any more questions, I'll put it in the discussion or open a new thread.  Thank you!
0
 
LVL 7

Expert Comment

by:Philonator
ID: 33559316
Post back to this thread either way what you do.  I think it would be helpful to others.
0
